Daily Kos

IMPORTANT: Security Breach affects Act For Change Subscribers

Sat Nov 03, 2007 at 10:58:43 PM PDT

I suspect many in the Daily Kos community are Working Assets members, and probably participate in their Act for Change program. If you're one of those people, you are likely affected by a security breach that Working for Change just notified its members of via the following e-mail:


IMPORTANT NOTICE FROM ACTFORCHANGE

Dear Subscriber,

We regret to inform you that the company we contract with to provide
online services, Convio, has identified a breach of one of their
internet security systems. There was no breach of
personally-identifiable information or credit card data, but your
email address and password for managing your Act For Change and
Working For Change subscriptions were obtained by an unauthorized
third party.

There is potential for misuse of this information should you use the
same email address and password on other personal accounts (e.g.,
banking, PayPal, Amazon, etc.). Convio would like to advise you of
important steps that you can and should take to prevent misuse of your
personal information:

- If this email address and password are used together on any other
accounts, it is recommended that you change your password on those
accounts and sites immediately. We recognize that this is an enormous
inconvenience, but this step will minimize your security risk.

- Pay careful attention to emails you may receive requesting personal
and financial information, and only provide it when you can
confidently confirm that it has come from a trusted organization.

- Report any suspicious activity immediately to the account provider
(bank, credit card, etc.) and to credit bureaus. We take your privacy
seriously, and as a protective step have immediately deleted all
passwords from the Act For Change and Working For Change website and
subscriptions. This will not affect your subscriptions or site usage,
and you will simply be prompted to create a new password when you go
to manage your account.

Our vendor Convio has asked us to convey their deepest apology and
assurance that security has been restored. If you have any questions
or concerns, please feel free to call (800) 788-0898* or email
customerservice@wafs.com.

Stephen Gunn
Vice President, Operations
Working Assets

* Customer Service Hours: Monday-Friday 5:00am - 7:30pm, Saturday
8:00am - 4:30pm PST

It's never a good idea to use the same e-mail and password combination for more than one site, but in a world where we all have to manage dozens of unique logins a day, convenience often takes a back seat to security. If you've read this far, allow me to suggest password salting as a solution for managing your various logins:

A salt is defined as a random number that is added to the encryption key or to a password to protect them from disclosure.  But in this case, it’s not a random number (since that wouldn’t be easy to remember either), but rather, it’s a combination of letters that you somehow derive from the site name, and somehow insert into your usual password.

For example:

Let’s say you’re creating a Hotmail account and you need to come up with a password.  Your usual password is ‘monkey7’.  But rather than just typing that in, you alter ‘monkey7’ with some characters that are unique to the site you’re visiting.

Maybe it’s the first two letters of the site name.  Maybe it’s the first letter and the last letter, or the first and third letters.  Whatever it is, pick a scheme and stick to it.

Let’s say you’ve chosen the first and third letters, and you’re going to put it before the 7.  Your Hotmail password is now ‘monkeyht7’.  Your Amazon password is ‘monkeyaa7’.  Your Yahoo password is ‘monkeyyh7’.  You get the picture.

Don’t use this exact scheme.  Come up with your own.  If everyone is using the same salting method, then it’s easy to crack, but with hundreds or thousands of salting algorithms, your password is reasonably safe.

Note that "reasonably" is relative.  This is not super-secure - it’s hardly secure at all - but it is definitely more secure than using the same password everywhere, and it’s easy to do.
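The per-site scheme the post walks through, as an added example (not code from the post or from Working Assets): `salted_password` reproduces the "first and third letters, inserted before the trailing digit" rule, the `positions` parameter is an assumption added so any fixed set of letter positions can be used, and `all_distinct` checks the property the breach notice relies on, that a password obtained from one site does not match the password used anywhere else.

```python
"""Per-site password variation ("salting") as described in the post.

Added example, not the post's own code. The default scheme is the one
the post uses: first and third letters of the site name, inserted just
before the trailing digits of the base password.
"""
import re


def site_salt(site: str, positions=(0, 2)) -> str:
    """Derive the per-site letters from a site name.

    `positions` are zero-based indexes into the lower-cased site name
    (an assumption added here; the post's scheme is (0, 2), i.e. the
    first and third letters). Site names too short for the scheme are
    rejected rather than silently producing a shorter salt.
    """
    name = site.lower()
    if any(i >= len(name) for i in positions):
        raise ValueError(f"site name {site!r} too short for positions {positions}")
    return "".join(name[i] for i in positions)


def salted_password(base: str, site: str, positions=(0, 2)) -> str:
    """Insert the site salt before the trailing digits of `base`.

    'monkey7' + 'hotmail' -> 'monkeyht7', as in the post. If the base
    password has no trailing digits, the salt is simply appended.
    """
    trailing = re.search(r"\d+$", base)
    cut = trailing.start() if trailing else len(base)
    return base[:cut] + site_salt(site, positions) + base[cut:]


def all_distinct(base: str, sites, positions=(0, 2)) -> bool:
    """True if one base password yields a different password per site.

    This is what limits the blast radius of a breach like the one in
    the notice: the leaked Act For Change password should not be the
    same string that opens the subscriber's other accounts.
    """
    derived = [salted_password(base, s, positions) for s in sites]
    return len(set(derived)) == len(derived)


if __name__ == "__main__":
    for site in ("hotmail", "amazon", "yahoo"):
        print(site, salted_password("monkey7", site))
    print("all distinct:", all_distinct("monkey7", ["hotmail", "amazon", "yahoo"]))
```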

Happy Salting.

Tags: Security, Passwords, Act for Change

  •  Thanks Wil. (0+ / 0-)

    I have a WA credit card and cell phone. Seems like these security breaches are par for the course these days. Which is not to say we shouldn't be pissed about them, of course.

    Don't trust any UID over [insert current highest number here].

    by pattyp on Sat Nov 03, 2007 at 10:18:08 PM PDT

  •  CleverIdea (2+ / 0-)

    Recommended by:
    joynow, raines

    With the minor caveat of multiple sites which share a common logon — drugstore.com and beauty.com leap to mind as one obvious example; outpost.com and frys.com are another — that's a really good idea, which is why I will doubtlessly fail to implement it. After all, who could possibly guess "password" as my password?

    ooops


    "I play a street-wise pimp" — Al Gore

    by Ray Radlein on Sat Nov 03, 2007 at 10:30:09 PM PDT

  •  Appreciate the tip. Thanks for the headsup. n/t (0+ / 0-)

    Damn the neo-cons! Full speed ahead!

    by Aaa T Tudeattack on Sat Nov 03, 2007 at 11:10:38 PM PDT

  •  Thanks for the heads up (0+ / 0-)

    Will Working Assets provide any compensation to users who are actually harmed by the F-up?  

  •  I think the problem (0+ / 0-)

    was this data center break-in in Chicago.

    ID theft is getting more and more of a big time operation.

  •  I received an email this morning from (1+ / 0-)

    Recommended by:
    Owllwoman

    ActForChange warning me of a security breach.  The problem I have is that I have no account with this organization or any of the associated organizations I found on their website.  As far as I can tell, I have never even contacted these organizations and certainly never given them any personal information or any of my passwords.  

    I mean no disrespect, but how do I know that this diary is not part of some scam?  Don't get upset, I'm just trying to understand how DKos screens its members.

    If you don't have an earth-shaking idea, get one, you'll love building a better world.

    by hestal on Sun Nov 04, 2007 at 03:28:51 AM PDT

    •  Maybe you signed on to one of (0+ / 0-)

      their petitions?

      "Though the Mills of the Gods grind slowly, Yet they grind exceeding small."

      by Owllwoman on Sun Nov 04, 2007 at 03:57:35 AM PDT

      •  So there is no screening. n/t (0+ / 0-)

        If you don't have an earth-shaking idea, get one, you'll love building a better world.

        by hestal on Sun Nov 04, 2007 at 05:02:37 AM PDT

        •  It would be best if you asked that question (0+ / 0-)

          in an open thread so a moderator could answer it. But based on the FAQ, the policy is that you send in the Kos registration form then "After a 24 hour waiting period, you will be allowed to post comments. After a 1 week waiting period, you will be allowed to post diaries. These waiting periods are intended to discourage "drive-by" trolling."

          As far as I know, there has been no screening of members, which is common for a board of this type.

          Again, the person writing this diary is not asking you to do anything risky. He's asking you to protect yourself. I don't see why that would require screening by the board.

          Refuge Watch -- news from America's national wildlife refuges

          by Naturegal on Sun Nov 04, 2007 at 05:19:41 AM PDT

    •  Advising you to make your passwords more secure (1+ / 0-)

      Recommended by:
      skohayes

      doesn't really fall into the area of potential scams.

      And this diary doesn't include a link where they'll ask you to enter personal information. Now that's a scam.

      This diary is just offering good advice on protecting your data.

      Refuge Watch -- news from America's national wildlife refuges

      by Naturegal on Sun Nov 04, 2007 at 04:34:37 AM PDT

    •  I got one of these alerts (0+ / 0-)

      and based on the custom email address I used only with Working Assets' "Act for Change" email notice service, it is either coming from them or coming from whoever breached their system, so either way it validates the message.

      Note that unlike scams, the message recommends that people change their passwords... and the URL (if any) embedded is real.

  •  I'm from working assets (2+ / 0-)

    Recommended by:
    CleverNickName, dougymi

    this is becky bond and i'm the political director at working assets.

    unfortunately, this is real. convio was the subject of a malicious hacking attack and some of our members were affected as a result of their security breach.

    we take security very, very seriously. please note: the database holding account information related to Working Assets long distance, wireless and credit card accounts was not affected.

    yesterday we received a call from convio, the company that runs the platform that powers many progressive advocacy email programs. lots of big and small progressive orgs use this third-party vendor to manage the targeting needed for our email and petition campaigns to congress and state legislatures.

    if you've ever signed an online petition, chances are the messages were routed in some way by convio.

    i would expect that several progressive organizations will be sending out similar emails as they were likely informed yesterday as well.

    our members trust us with a lot. some of you have our credit cards and mobile phones. many of you use our timely and researched political to inform your activism. we did everything we could to get the message from our vendor to our members so that they could take appropriate steps to protect any other online accounts that could be linked to their convio password.

    it's what we would want someone to do for us. so that's why we immediately got this email out to our members.

    the breach was at convio and not working assets. oddly, i was actually the first person convio reached with news about the breach because their chief technology guy had my mobile phone number. i immediately got them on the phone with Steve Gunn our vice president of operations - and the one who signed the email above.

    from the moment we received the phone call, we started working to pull the list of all members affected by the security breach (it was only a subset of our total list). we had convio delete all compromised passwords from the database and dispatched an email to affected users immediately.

    i can tell you that this breach only affected email addresses and the passwords used to log on and manage any activism email subscriptions you have at working assets / actforchange. it did not affect any customer data.

    for example, if you wanted to sign up for an events newsletter in addition to getting email alerts about legislation moving through congress, you would need to log into your account and check the boxes next to the feeds you were interested in receiving.

    at the risk of getting totally spammed, my email is bbond at working assets dot com and i'm happy to authenticate.

    FYI, we're holding a big fundraiser for voter registration with deborah bowen today in san francisco - http://www.workingassets.com/... so i won't be returning emails after about 2.00 pm PT.
